RESTful Web Service to Authenticate User and Issue Access Token

It's time to learn how to create a Web Service that authenticates a user with their user name and password, and how to issue a unique, secure access token which our Mobile Application can use to send HTTP requests to the protected web services of our API.

For a free video tutorial on how to build a user interface with Xcode and Swift that implements User Sign up, Sign in and Sign out, and to learn how to send an HTTP Request to the RESTful Web Service created in this tutorial, check out this YouTube playlist.

To learn how to register a new user, how to save user profile details in the database and how to generate a secure user password, check out my previous blog post: RESTful Web Service to Save a New User in Database. The code in this blog post builds on the code from that previous post; this is just to save your time, so that you do not have to create a new project, import all the dependencies again and create a new service layer, Database Access Object and other classes. So let's begin.

Access User Name and Password to Authenticate User

Below is the code example of the new Root Resource class, which I have called Authentication.java and which has its own @Path("/authentication").

An HTTP POST to this web service endpoint will accept the JSON payload below, which will then be converted into a LoginCredentials Java object:

{
"userName":"sergey@kargopolov.com",
"userPassword":"123"
}

The logic in this web service endpoint is to:

Accept the user's login credentials, extract the user name and password, and ask the Service Layer object, which is called authenticationService, to authenticate the user,

If user authentication is successful, the web service will reset the existing access token (if one exists) and,

Generate a new secure access token which can be sent with other HTTP Requests by our mobile application when it needs to communicate with protected web service endpoints. Protected web service endpoints are those that require the user to be logged in.

AuthenticationService class to Perform User Authentication

The logic to authenticate the user is delegated to the AuthenticationService class and its authenticate() method, which takes two arguments: userName and userPassword.

I will paste the entire class with all its methods at the end of the blog post, but first I will take each of its methods and give it a short description.

Based on the provided user name and password, the authentication service will generate a secure user password and will then compare the provided user name and the generated secure password with those that we have in the database. If the values match, the authenticate() method will return the user profile details. Otherwise an exception will be thrown.

Issue Secure Access Token

The reset security credentials method is optional and it is up to you whether to use it, but I always do. This is so that every time the user logs in, a new salt, a new secure password and a new access token are generated. This way, even if a database record gets compromised, the next time the user logs in these values are reset and the previous values can no longer be used.

The access token is generated the following way:

Read the value of the salt that is currently stored in the user profile,

Concatenate the public alphanumeric userId value and the value of the salt to produce the access token material. Please note that the public alphanumeric userId value is different from the sequentially autogenerated database record id,

Use the secure value of the user password to encrypt the access token material with it, producing the final value of the access token. You can also use a SecretKey to encode the access token material and keep the SecretKey file outside of the web application. This is another very good approach, but then you will also need to implement SecretKey rotation so that the SecretKey changes from time to time. In this example we are using Password Based Encryption: we use the secure password as the encryption key, and the value of the secure password and the value of the salt change every time the user logs in.

Base64 encode the value of the access token,

Split the final value of the access token into two parts. They do not need to be equal, and in fact it is better that they are not. Keep one part of the secure access token in the database and return the other part to the mobile application, so that it can be stored in the keychain.
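As an added example, not the author's own Authentication.java or AuthenticationService listings, here is a self-contained Java program that walks through the authenticate() check described in the previous section, the five token steps just listed, and the authenticate, reset, issue sequence that the POST /authentication endpoint performs. Everything concrete in it is an assumption about the scheme: the class and method names are hypothetical, the secure password is derived with PBKDF2-HMAC-SHA256, the Password Based Encryption step is AES-CBC keyed with the secure password, and the user record lives in an in-memory map standing in for the database. It goes one step beyond the post by also showing how a protected endpoint would later validate the part of the token the mobile application sends back.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;

public class AuthenticationExample {
    static class UserProfile {  // hypothetical stand-in for the user profile entity in the database
        String userId;          // public alphanumeric id, not the autogenerated row id
        String salt;            // Base64
        String securePassword;  // Base64 PBKDF2 output
        String tokenPart;       // server-side part of the access token, null when none is issued
    }
    static final SecureRandom RNG = new SecureRandom();
    static final String DUMMY_SALT = newSalt();                 // used when the user name is unknown
    static final Map<String, UserProfile> DB = new HashMap<>(); // constructed in-memory "database"
    static String newSalt() {
        byte[] b = new byte[16]; RNG.nextBytes(b);
        return Base64.getEncoder().encodeToString(b);
    }

    // "Secure password" = PBKDF2-HMAC-SHA256(password, salt); an assumption, the post does not name the KDF.
    static String securePassword(String password, String salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), Base64.getDecoder().decode(salt), 100_000, 256);
        byte[] hash = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return Base64.getEncoder().encodeToString(hash);
    }
    static void register(String userName, String password) throws GeneralSecurityException {
        UserProfile u = new UserProfile();
        u.userId = UUID.randomUUID().toString().replace("-", "");
        u.salt = newSalt();
        u.securePassword = securePassword(password, u.salt);
        DB.put(userName, u);
    }
    // authenticate(): recompute with the stored salt, compare in constant time; unknown names still cost one derivation.
    static UserProfile authenticate(String userName, String password) throws GeneralSecurityException {
        UserProfile u = DB.get(userName);
        byte[] provided = Base64.getDecoder().decode(securePassword(password, u != null ? u.salt : DUMMY_SALT));
        byte[] stored = u != null ? Base64.getDecoder().decode(u.securePassword) : new byte[provided.length];
        if (u == null || !MessageDigest.isEqual(provided, stored)) throw new SecurityException("Authentication failed");
        return u;
    }

    // Reset salt, secure password and token so values copied from a leaked record stop working at the next login.
    static void resetSecurityCredentials(UserProfile u, String password) throws GeneralSecurityException {
        u.salt = newSalt();
        u.securePassword = securePassword(password, u.salt);
        u.tokenPart = null;
    }
    static byte[] tokenMaterial(UserProfile u) {              // steps 1-2: userId + current salt
        return (u.userId + u.salt).getBytes(StandardCharsets.UTF_8);
    }
    static SecretKey aesKey(UserProfile u) {                  // step 3: the secure password is the key
        return new SecretKeySpec(Base64.getDecoder().decode(u.securePassword), "AES"); // 32 bytes -> AES-256
    }

    // Steps 3-5: AES-CBC with a random IV prepended (assumed PBE choice), Base64, then an uneven split.
    static String[] generateAccessToken(UserProfile u) throws GeneralSecurityException {
        byte[] iv = new byte[16]; RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, aesKey(u), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(tokenMaterial(u));
        byte[] blob = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        String token = Base64.getEncoder().encodeToString(blob);
        int cut = token.length() / 3;                         // one third stays in the database
        return new String[] { token.substring(0, cut), token.substring(cut) };
    }

    // What the POST /authentication handler does: authenticate, reset, issue, return the client part.
    static String login(String userName, String password) throws GeneralSecurityException {
        UserProfile u = authenticate(userName, password);
        resetSecurityCredentials(u, password);
        String[] parts = generateAccessToken(u);
        u.tokenPart = parts[0];
        return parts[1];
    }

    // Check on a later request to a protected endpoint: join both parts, decrypt, compare the material.
    static boolean isValidToken(String userName, String clientPart) {
        UserProfile u = DB.get(userName);
        if (u == null || u.tokenPart == null) return false;
        try {
            byte[] blob = Base64.getDecoder().decode(u.tokenPart + clientPart);
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.DECRYPT_MODE, aesKey(u), new IvParameterSpec(Arrays.copyOf(blob, 16)));
            return MessageDigest.isEqual(c.doFinal(blob, 16, blob.length - 16), tokenMaterial(u));
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            return false;                                     // malformed, tampered or stale token
        }
    }

    public static void main(String[] args) throws Exception {
        register("sergey@kargopolov.com", "123");           // constructed sample user from the post's JSON
        String clientPart = login("sergey@kargopolov.com", "123");
        System.out.println("valid:    " + isValidToken("sergey@kargopolov.com", clientPart));
        System.out.println("tampered: " + isValidToken("sergey@kargopolov.com", clientPart + "A"));
    }
}
```

Two details are worth pointing out. Both comparisons use MessageDigest.isEqual so that the password check and the token check take the same time whether the mismatch is in the first byte or the last, and the unknown-user path still performs a key derivation, so the response time does not reveal which user names exist. The split matters only together with the reset: a leaked database record holds one third of an encoded token whose key and salt are replaced at the very next login, so the stored part alone never unlocks a protected endpoint. Note that the scheme as described carries no expiry; a token stays valid until the user logs in again, so a production service would add an issued-at time to the profile and check it alongside the token.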

I think with the above source code available, you should be able to implement user authentication for your RESTful web service APIs. Please let me know if you have questions by posting your comments below. Also, if you are interested in learning more about RESTful Web Services, check out the page I have created with Resources for Full Stack Mobile App Developers.